Sizing Up Windows Server 2003

It's been almost six months now since Windows Server 2003 (WS03) was released, so it's time to reflect on whether the product has lived up to its promises. On its web site Microsoft touts WS03 as being able to do things "faster, more securely, and at lower cost," presumably compared to earlier versions of Windows and other platforms like Linux. Is this true? I've been working with it, and here's what I've found.

Faster

So far I've worked with WS03 in domain controller, file/print, and web application server roles, and performance seems equal to or better than that of a similarly configured Windows 2000 server. But performance isn't the only issue that affects how "fast" a platform is; manageability is also important. In other words, is WS03 easier to administer than W2K? Generally speaking, yes, once you get past the stumbling blocks: unneeded changes to the GUI, the frustrations of SMB signing with down-level clients, the bugs in command-line tools for managing Active Directory, and the confusion over how DNS stub zones and delegations interrelate. There are also the undocumented changes to how default gateway addresses work, the annoyance of how strict replication kills ghost installation images, the learning curve for the new Group Policy Management Console, and the unsettling feeling that Microsoft is still in the process of releasing bits and pieces of the product long after it left the gate.

But once these hurdles are cleared, the product is easier to administer, with its role-based Manage Your Server wizard, convenience consoles, vastly improved help system, support for multiple object selection and drag and drop in the Active Directory consoles, and simplified backup and restore using Automated System Recovery. You'll also find improved demotion of domain controllers using dcpromo, preinstalled Remote Desktop service that can be enabled using a single checkbox, and dozens of new command-line tools and scripts for managing disks, tasks, processes, Group Policy, device drivers, the boot process, and Active Directory.

Getting back to performance though, http.sys--the new kernel mode HTTP driver--really makes the platform rock as a web application server using IIS 6.0. Unfortunately, the tuning options for http.sys are mostly unclear at this point. Sure, Microsoft has released some details concerning the registry parameters associated with http.sys, but not many recommendations on how to modify them to achieve optimum performance in different situations. And most of the changes I've made while experimenting with http.sys have either degraded performance instead of improving it, or had no observable effect at all. So, while http.sys improves IIS performance, due to poor documentation it's difficult to fine-tune it to squeeze out even greater performance gains.

By the way, http.sys can also perform remote logging (even to a different domain if you use a null session) but I don't recommend this since then you need IPSec to secure the log traffic and this adds overhead. Kudos to Microsoft, though, for including httpcfg.exe in the \Support\Tools folder, as this utility lets you run other HTTP applications on IIS machines (by default IIS 6.0 binds all IP addresses on the machine even if DisableSocketPooling is set to True in the Metabase).
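The httpcfg.exe point above in practice, as an added example that is not part of the article: restricting http.sys to a single address so that a non-IIS listener can take port 80 on another address of the same machine. It assumes httpcfg.exe from the \Support\Tools folder is installed and on the PATH, that the session runs as an administrator, and that 192.0.2.10 is a placeholder for the one address IIS should keep.

```powershell
# Added example, not from the article. Assumes httpcfg.exe (WS03 \Support\Tools)
# is on PATH and the session has administrator rights. 192.0.2.10 is a
# documentation-range placeholder for the address IIS 6.0 should own.
$IisAddress = '192.0.2.10'   # placeholder: replace with the address IIS should keep

# Show the current IP listen list. An empty list means http.sys binds every
# address on the host, which is the default behaviour the article describes.
& httpcfg.exe query iplisten

# Restrict http.sys to the chosen address; every other address on the host
# is then free for another HTTP application to bind.
& httpcfg.exe set iplisten -i $IisAddress

# http.sys reads the listen list when it starts, so stop the HTTP service
# (and, with /y, the services that depend on it) and bring IIS back up.
& net.exe stop http /y
& net.exe start w3svc

# Confirm that only the chosen address remains in the list.
& httpcfg.exe query iplisten
```

To undo the restriction, `httpcfg delete iplisten -i <address>` removes an entry; an empty list returns http.sys to binding all addresses after the next restart.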

Another undocumented WS03 performance feature is the Logical Prefetcher, a memory management enhancement that first appeared in Windows XP and controls the heuristic by which the kernel decides which pages to prefetch. Reputedly, by playing with the Registry setting for this you improve application responsiveness, though you'll negatively affect boot time, but I have yet to be able to confirm this.

More Secure

On the security end, WS03 is a quantum jump forward over the previous platform. I chose my metaphor carefully here--quantum is a physics word that means "a discrete jump from one energy level to another". So, while the security improvements of the platform are measurable and welcome, there's still lots of room for improvement.

So what has improved then in the platform's security? The root ACL on the system volume has been tightened up, as have default shared folder permissions, hooray! Many network services now run under the low-privileged Local Service and Network Service accounts instead of Local System, and the list of services that start automatically is smaller to reduce the attack surface.

The new Effective Permissions tab on the Advanced page of a file's ACL is helpful for determining if NTFS permissions combine the way you expect--except that the feature doesn't work properly in a workgroup environment.

Restricted Groups are a good way of guarding against elevation of privileges by protecting membership in administrative groups. The new Internet Explorer Enhanced Security Configuration prevents you from downloading unsafe content from Internet sites--though surprisingly even some bits of Microsoft's own web site are blocked when *.microsoft.com is added to the Trusted Sites zone! Local accounts can no longer be used to access remote machines if the account has a null password--duh! And LanManCompatibilityLevel is now set to 2 by default so domain controllers won't generate easily-cracked LanMan responses--that was a no-brainer!

All this sounds well and good, but the reality is WS03 is only a few degrees more secure out of the box than the earlier W2K platform. After all, you'll still have to learn in-depth how security works, make decisions about the number of forests and domains you need, design an effective OU structure for delegation, and baseline suitable security policies and apply them. You'll also have to analyze the security configuration of your machines periodically, monitor your event logs regularly, and take other sensible actions and precautions to ensure your Windows boxes remain secure. In other words, you still need to do all the work it takes to make any operating system secure, trading off manageability against security, maintaining constant vigilance, keeping abreast of the latest advisories, and trusting no one--not even Microsoft, if past fiascos are any measure of future fumbles.
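A baseline check for the out-of-box hardening points listed above (services running as Local Service or Network Service rather than Local System, Restricted Groups, the LAN Manager authentication level) and for the periodic review and event-log monitoring this paragraph calls for, as an added example that is not part of the article. It assumes Windows PowerShell on the host being audited with local administrator rights so the service table and Security log are readable; the registry value name is LmCompatibilityLevel (the article's "LanManCompatibilityLevel"), and $ExpectedAdmins is a placeholder list to replace with your own approved members.

```powershell
# Added example, not from the article. Assumes Windows PowerShell on the audited
# host, run with local administrator rights. $ExpectedAdmins is a placeholder.
$ExpectedAdmins = @('Administrator', 'Domain Admins')   # placeholder: your approved members

function Get-LmCompatibilityLevel {
    # Registry value is LmCompatibilityLevel (the article's "LanManCompatibilityLevel").
    # 0-1 still send LM responses, 2 sends NTLM only, 3 and above NTLMv2 only.
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the OS default applies
    return [int]$item.LmCompatibilityLevel
}

function Get-AutoStartSystemServices {
    # Auto-start services still running as LocalSystem: each one is attack surface
    # that the Local Service / Network Service split was meant to shrink.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, State, PathName
}

function Get-LocalAdminDrift {
    # Members of the local Administrators group that are not on the approved list,
    # i.e. exactly what a Restricted Groups policy would remove at next refresh.
    $group   = [ADSI]'WinNT://./Administrators,group'
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    return $members | Where-Object { $ExpectedAdmins -notcontains $_ }
}

function Get-RecentFailedLogons {
    param([int]$Hours = 24)
    # 529 is the WS03-era failed-logon event; 4625 is its successor on later versions.
    Get-EventLog -LogName Security -InstanceId 529, 4625 `
        -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue
}

$lm = Get-LmCompatibilityLevel
$lmVerdict = if ($null -eq $lm) { 'not set (OS default applies)' }
             elseif ($lm -ge 2) { "$lm (no LM responses sent)" }
             else { "$lm (LM responses still sent; raise to 2 or higher)" }

# One summary object per host; pipe to Export-Csv to keep a periodic baseline.
[PSCustomObject]@{
    LmCompatibilityLevel   = $lmVerdict
    AutoStartAsLocalSystem = @(Get-AutoStartSystemServices).Count
    UnexpectedLocalAdmins  = @(Get-LocalAdminDrift) -join ', '
    FailedLogonsLast24h    = @(Get-RecentFailedLogons).Count
}
```

Run it on a schedule and diff the output against the previous run: a new LocalSystem auto-start service, an unexpected Administrators member, or a jump in failed logons is the kind of change the periodic analysis described above is meant to catch.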

Of course, Microsoft hasn't just hardened its new platform, but it has also provided us with a veritable avalanche of information on how to ensure the platform's security. Unfortunately, much of this documentation, like the Windows Server 2003 Security Guide on Microsoft TechNet, consists of little more than long lists of possible configuration settings with little help on which values are best to choose. When Microsoft began its Trustworthy Computing initiative, people nodded and said, "About time!" Now I sometimes wonder if its aim all along weren't simply to "fill the sky with words" in a misconceived effort to convince businesses how serious it had become about security while in effect simply pushing the burden of securing their products back onto the users themselves.

Lower Cost

As for cost, the product still costs a bundle and the licensing options are like the maze where the Minotaur hid; and unlike Theseus you have to buy your own ball of thread. Licensing for Terminal Services is especially confusing, and if you talk to three different Premier Support people you typically end up getting three different answers, with all of them more expensive than sticking with your organization's existing Windows 2000 Terminal Services setup. Application development might be quicker using .NET, which could well contribute to lower TCO, but I'm no developer so I can't say for sure. And I'll let the open source crowd fight it out whether Linux or Windows Server 2003 is a cheaper platform to deploy, maintain, and support.

Conclusion

To conclude then, has Microsoft delivered on its promises with the new platform? Yes, there have been definite improvements in performance, manageability, security, and (possible) overall cost. These are indeed quantum improvements--let's hope the next version of Windows takes things to the next level!